This article addresses the recent Log4j RCE.
Refer to the following links for more information:
Log4j and SFTP Gateway
SFTP Gateway v3 uses logback for logging purposes, rather than
That being said, the following jar exists on SFTP Gateway:
This version falls outside the vulnerable version range:
2.0 <= Apache log4j <= 2.14.1
But more importantly, we are only using the log4j-api and NOT the core
According to this article: https://logging.apache.org/log4j/2.x/security.html
The versions affected are the
Versions Affected: all log4j-core versions >=2.0-beta9 and <=2.14.1
SFTP Gateway does not include log4j-core, because it does not use
SFTP Gateway uses logback for logging purposes.
We use a library called slf4j to translate log4j API calls to
So, only the log4j-api jar is included in SFTP Gateway.
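One way to confirm on a host that a jar ships log4j-api without log4j-core, shown here as an added example rather than SFTP Gateway's own tooling. It goes slightly beyond the text by recursing into nested jars, assumes the jars carry Maven pom.properties metadata, and uses constructed sample jars and version numbers in demo().

```python
import io
import re
import zipfile

POM = "META-INF/maven/org.apache.logging.log4j/{}/pom.properties"
CORE_POM, API_POM = POM.format("log4j-core"), POM.format("log4j-api")
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def pom_version(zf, pom):
    m = re.search(r"^version=(\S+)", zf.read(pom).decode("utf-8", "replace"), re.M)
    return m.group(1) if m else "unknown"

def in_affected_range(version):
    """2.0 <= version <= 2.14.1, the range quoted above; 2.0 betas count as 2.0."""
    nums = tuple(int(n) for n in re.findall(r"\d+", version.split("-")[0]))
    return bool(nums) and (2, 0) <= nums <= (2, 14, 1)

def scan_jar(data, name, findings=None):
    """Inspect one jar given as bytes, recursing into jars nested inside it."""
    findings = [] if findings is None else findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if CORE_POM in names or JNDI_CLASS in names:
            ver = pom_version(zf, CORE_POM) if CORE_POM in names else "unknown"
            # log4j-core with no readable version is treated as affected.
            findings.append({"jar": name, "artifact": "log4j-core", "version": ver,
                             "affected": ver == "unknown" or in_affected_range(ver)})
        elif API_POM in names:  # API only: no core classes, so no JndiLookup
            findings.append({"jar": name, "artifact": "log4j-api",
                             "version": pom_version(zf, API_POM), "affected": False})
        for inner in sorted(n for n in names if n.endswith((".jar", ".war"))):
            scan_jar(zf.read(inner), f"{name}!/{inner}", findings)
    return findings

def make_jar(entries):
    """Build a constructed in-memory jar from {path: bytes} (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in entries.items():
            zf.writestr(path, content)
    return buf.getvalue()

def demo():
    # Constructed version numbers, not taken from any real install.
    api = make_jar({API_POM: b"version=2.13.3\n"})
    core = make_jar({CORE_POM: b"version=2.14.1\n", JNDI_CLASS: b""})
    fat = make_jar({"BOOT-INF/lib/log4j-api.jar": api, "BOOT-INF/lib/log4j-core.jar": core})
    return scan_jar(make_jar({"lib/log4j-api.jar": api}), "api-only.jar"), scan_jar(fat, "fat.jar")
```

To check a real file, pass its bytes and path to scan_jar; any entry whose artifact is log4j-core means the core library is present.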
Log4j apt package
On Google Cloud, we use Ubuntu 20.04, and the log4j apt package is not installed.
[root@ip-172-31-4-141 sftpgw]# apt list installed log4j
Listing... Done